max-moser/network-manager-wireguard

AllowedIPs not working properly

jhuber1965 opened this issue · 0 comments

Hello!

I am running Ubuntu 20.04 LTS with NetworkManager version 1.22.10

The WireGuard configuration is:

[Interface]
PrivateKey = removed
Address = 10.200.85.2/32
MTU = 1412
DNS = 10.200.85.1

[Peer]
PublicKey = removed
Endpoint = removed
AllowedIPs = 0.0.0.0/0

When starting the VPN through NetworkManager, this works as expected, and all traffic is routed through the VPN. However, I only want traffic for 10.x.x.x routed through the VPN. If I set AllowedIPs = 10.0.0.0/8 in the NetworkManager WireGuard dialog box, nothing is routed through the VPN. This latter change works fine and as expected when using sudo wg-quick up from the command line.

When the VPN is started from NetworkManager:

jhuber@t5610:~$ sudo wg
interface: APC-Wireguard
  public key: <removed>
  private key: (hidden)
  listening port: 60669

peer: <removed>
  endpoint: x.x.x.x:51820
  allowed ips: 10.0.0.0/8
  latest handshake: 13 seconds ago
  transfer: 380 B received, 372 B sent
jhuber@t5610:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp0s25
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp0s25
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s25
jhuber@t5610:~$ ip route get 10.0.15.113
10.0.15.113 via 192.168.0.1 dev enp0s25 src 192.168.0.31 uid 1000 

When the VPN is started from the command line with sudo wg-quick up /home/jhuber/Desktop/APC-Wireguard.conf:

jhuber@t5610:~$ sudo wg
interface: APC-Wireguard
  public key: <removed>
  private key: (hidden)
  listening port: 51548

peer: <removed>
  endpoint: x.x.x.x:51820
  allowed ips: 10.0.0.0/8
  latest handshake: 8 seconds ago
  transfer: 7.42 KiB received, 4.99 KiB sent
jhuber@t5610:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp0s25
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 APC-Wireguard
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp0s25
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s25
jhuber@t5610:~$ ip route get 10.0.15.113
10.0.15.113 dev APC-Wireguard src 10.200.85.2 uid 1000 

Comparing the two, there seems to be a route missing for APC-Wireguard when the VPN is started from within NetworkManager. Manually adding this missing route on the IPV4 tab for the WireGuard VPN in NetworkManager seems to solve the issue.
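As an added check, not code from the issue or from the network-manager-wireguard project, the script below compares the AllowedIPs that `wg show` reports against the main routing table and lists prefixes that have no route through the tunnel interface, which is exactly the condition the NetworkManager case above shows for 10.0.0.0/8 (traffic for those prefixes then leaves via the default interface in the clear). When run directly it assumes `wg` and `route` are on the PATH; the embedded samples are constructed from the output quoted in the issue.

```python
import ipaddress
import subprocess

# Constructed samples, abridged from the `sudo wg` and `route -n` output in the issue.
WG_SAMPLE = "interface: APC-Wireguard\n  listening port: 60669\n\npeer: <removed>\n  allowed ips: 10.0.0.0/8\n"
ROUTES_NM = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp0s25
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s25
"""
ROUTES_WGQUICK = ROUTES_NM + "10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 APC-Wireguard\n"


def parse_allowed_ips(wg_output):
    """Return (interface name, list of AllowedIPs networks) from `wg show` output."""
    iface, nets = None, []
    for line in wg_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "interface":
            iface = value.strip()
        elif key == "allowed ips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip() and v.strip() != "(none)"]
    return iface, nets


def parse_route_table(route_output):
    """Parse `route -n` rows into (network, interface) pairs; header lines are skipped."""
    routes = []
    for line in route_output.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[0][:1].isdigit():
            # Destination and Genmask are dotted quads; ip_network accepts "a.b.c.d/m.m.m.m".
            routes.append((ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False), parts[7]))
    return routes


def missing_routes(wg_output, route_output):
    """AllowedIPs prefixes with no covering main-table route through the tunnel interface."""
    iface, nets = parse_allowed_ips(wg_output)
    tunnel = [n for n, dev in parse_route_table(route_output) if dev == iface]
    return [str(p) for p in nets
            if not any(p.version == t.version and p.subnet_of(t) for t in tunnel)]


if __name__ == "__main__":
    wg = subprocess.run(["wg", "show"], capture_output=True, text=True, check=True).stdout
    rt = subprocess.run(["route", "-n"], capture_output=True, text=True, check=True).stdout
    print("AllowedIPs without a tunnel route:", missing_routes(wg, rt) or "none")
```

The check reads only the main table, so a full-tunnel peer (AllowedIPs = 0.0.0.0/0) that wg-quick routes through its own policy-rule table would be reported as missing even though it works.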